Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IOS Devices not open Captive Portal Login Page

  • 1.  IOS Devices not open Captive Portal Login Page

    Posted Oct 11, 2018 10:24 AM

    Hey,

    we have configured a guest network with captive portal logon, but we have trouble with Apple iOS devices.

    The captive portal website does not open when the devices connect to the wireless network.

    One solution is to whitelist some Apple URLs (captive.apple.com, airport.us, thinkdifferent.us) that answer with a "Success" welcome page for testing the internet connection. After this test is successful, the captive portal login loads.

    So my question is: how can I whitelist these URLs?

    Greetings Wolfgang



  • 2.  RE: IOS Devices not open Captive Portal Login Page

    EMPLOYEE
    Posted Oct 11, 2018 10:51 AM

    You should not need to whitelist any URLs in order for iOS to activate the Captive Network Assistant.

    What version of ArubaOS are you running on your controller?



  • 3.  RE: IOS Devices not open Captive Portal Login Page

    Posted Oct 11, 2018 10:55 AM
    Thank you for your answer. The controller is a 7210 and the firmware is 6.5.4.8. If another solution is better, please suggest it.


  • 4.  RE: IOS Devices not open Captive Portal Login Page

    EMPLOYEE
    Posted Oct 11, 2018 11:42 AM

    Is it only iOS devices that are unable to detect they are behind a captive portal? Do Android devices detect the portal correctly?

    Can you post the output from the following commands:

    show aaa authentication captive-portal

    show references aaa authentication captive-portal <captive portal profile>

    show rights <user-role referencing captive portal profile>



  • 5.  RE: IOS Devices not open Captive Portal Login Page

    Posted Oct 11, 2018 02:35 PM

    Only problems with iOS devices; Android devices work correctly.

    172.16.0.229 is the IP of the external captive portal website.


    (WLC01) #show aaa authentication captive-portal
    
    Captive Portal Authentication Profile List
    ------------------------------------------
    Name                References  Profile Status
    ----                ----------  --------------
    default             1
    ExternalWebserver   1
    Presse-cp_prof  1
    test-cp_prof    0
    VIP-cp_prof     1
    (WLC01) #show references aaa authentication captive-portal ExternalWebserver
    
    References to Captive Portal Authentication Profile "ExternalWebserver"
    -----------------------------------------------------------------------
    Referrer                                   Count
    --------                                   -----
    user-role "Externalcp" captive-portal  1
    Total References:1
    (WLC01) #show rights Externalcp
    
    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'Externalcp'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 10
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     IP-Classification Enforcement: Enabled
     ACL Number = 73/0
     Openflow: Disabled
     Max Sessions = 65535
    
     Check CP Profile for Accounting = TRUE
     Captive Portal profile = ExternalWebserver
    
    Application Exception List
    --------------------------
    Name  Type
    ----  ----
    
    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------
    
    access-list List
    ----------------
    Position  Name                       Type     Location
    --------  ----                       ----     --------
    1         global-sacl                session
    2         apprf-Externalcp-sacl  session
    3         logon-control              session
    4         allow-external-webserver   session
    5         captiveportal              session
    
    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-Externalcp-sacl
    -------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    logon-control
    -------------
    Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any                      udp 68                 deny                             Low                                                           4
    2         any     any                      svc-icmp               permit                           Low                                                           4
    3         any     any                      svc-dns                permit                           Low                                                           4
    4         any     any                      svc-dhcp               permit                           Low                                                           4
    5         any     any                      svc-natt               permit                           Low                                                           4
    6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
    7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4
    allow-external-webserver
    ------------------------
    Priority  Source  Destination   Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------   -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    172.16.0.229  svc-http               permit                           Low                                                           4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
    2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
    3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4
    
    Expired Policies (due to time constraints) = 0


  • 6.  RE: IOS Devices not open Captive Portal Login Page

    EMPLOYEE
    Posted Oct 11, 2018 03:19 PM

    Can you provide one additional output that I neglected to request:

    show aaa authentication captive-portal ExternalWebserver

     



  • 7.  RE: IOS Devices not open Captive Portal Login Page

    Posted Oct 11, 2018 04:11 PM

     

    (WLC01) #show aaa authentication captive-portal ExternalWebserver
    
    Captive Portal Authentication Profile "ExternalWebserver"
    ---------------------------------------------------------
    Parameter                                          Value
    ---------                                          -----
    Default Role                                       authenticated
    Default Guest Role                                 guest
    Server Group                                       internal
    Redirect Pause                                     1 sec
    User Login                                         Enabled
    Guest Login                                        Disabled
    Logout popup window                                Enabled
    Use HTTP for authentication                        Enabled
    Logon wait minimum wait                            5 sec
    Logon wait maximum wait                            10 sec
    logon wait CPU utilization threshold               60 %
    Max Authentication failures                        0
    Show FQDN                                          Disabled
    Authentication Protocol                            PAP
    Login page                                         http://172.16.0.229
    Welcome page                                       http://www.beispiel.de
    Show Welcome Page                                  Yes
    Add switch IP address in the redirection URL       Disabled
    Adding user vlan in redirection URL                Disabled
    Add a controller interface in the redirection URL  N/A
    Allow only one active user session                 Disabled
    White List                                         N/A
    Black List                                         N/A
    Show the acceptable use policy page                Disabled
    User idle timeout                                  N/A
    Redirect URL                                       N/A
    Bypass Apple Captive Network Assistant             Disabled
    URL Hash Key                                       N/A
    
    


  • 8.  RE: IOS Devices not open Captive Portal Login Page
    Best Answer

    EMPLOYEE
    Posted Oct 11, 2018 04:41 PM

    Is this SSID an open SSID, or is the captive portal running on top of a WPA2 SSID? Curious why the captive portal page is running http and not https in order to secure the portal login from eavesdropping.

    If you can run https on your portal, I would suggest modifying the allow-external-webserver policy to add a rule allowing https to your portal in addition to http. iOS had started using https probes to check for a portal, so it may be having an issue with the redirect trying to switch from https to http.

    Additionally, what is the external captive portal device? I have seen issues come up when the external captive portal was improperly handling the iOS CNA probe ... in such a way that the iOS device would not prompt for the portal unless specifically using a browser. In that case, though, we were redirecting to an https portal landing page, so it may not be the same issue coming into play here.
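    The diagnosis in this reply comes down to two things a reviewer can read straight off the `show` output posted earlier: the profile's login page is plain http, and the pre-authentication policy permits only svc-http to the portal host. The following is an added example, written for this thread and not code from the forum, from HPE Aruba or from the original poster: it parses constructed text in the shape of `show aaa authentication captive-portal <profile>` and of the policy section of `show rights <role>`, and reports the weaknesses discussed here (http login page, clear-text authentication, an IP literal instead of a resolvable FQDN, no https permitted to the portal). The sample outputs, the `portal.example.net` name and the `portal-srv` netdestination alias are constructed for the example.

```python
"""Audit an ArubaOS captive-portal profile and the pre-auth role policy.

Added example, not code from the thread or from HPE Aruba. The parsers work
on the text of `show aaa authentication captive-portal <profile>` and on the
policy section of `show rights <role>`; all sample text below is constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the thread's ExternalWebserver profile.
WEAK_PROFILE = """\
Parameter                                          Value
---------                                          -----
Use HTTP for authentication                        Enabled
Login page                                         http://172.16.0.229
Bypass Apple Captive Network Assistant             Disabled
"""
# Constructed sample of one policy from `show rights`, reduced to the
# Priority / Source / Destination / Service / Action columns.
WEAK_POLICY = """\
allow-external-webserver
------------------------
1         user    172.16.0.229  svc-http               permit
"""
# Constructed hardened variant: https login page on an FQDN, clear-text
# authentication off, svc-https to the portal permitted. "portal-srv" is an
# assumed netdestination alias standing for the portal host.
HARDENED_PROFILE = """\
Parameter                                          Value
---------                                          -----
Use HTTP for authentication                        Disabled
Login page                                         https://portal.example.net
Bypass Apple Captive Network Assistant             Disabled
"""
HARDENED_POLICY = """\
allow-external-webserver
------------------------
1         user    portal-srv    svc-http               permit
2         user    portal-srv    svc-https              permit
"""


def parse_profile(text):
    """Two-column parameter table -> dict; columns are split on 2+ spaces."""
    params = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("Parameter", "-")):
            continue
        parts = re.split(r"\s{2,}", stripped, maxsplit=1)
        if len(parts) == 2:
            params[parts[0]] = parts[1]
    return params


def parse_policy(text):
    """Rule lines start with a numeric priority; name and dashes are skipped."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0].isdigit():
            rules.append({"source": f[1], "destination": f[2],
                          "service": f[3], "action": f[4]})
    return rules


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(profile_text, policy_text, portal_alias=None):
    """Return a list of findings (empty when nothing is flagged).

    portal_alias: the ACL destination (IP or netdestination alias) that stands
    for the portal host; defaults to the host part of the login page URL."""
    params = parse_profile(profile_text)
    rules = parse_policy(policy_text)
    findings = []
    login = urlparse(params.get("Login page", ""))
    host = login.hostname or ""
    dest = portal_alias or host
    if login.scheme != "https":
        findings.append(f"login page {login.geturl()!r} is not served over https")
    if is_ip_literal(host):
        findings.append(f"login page host {host} is an IP literal, not a resolvable FQDN")
    if params.get("Use HTTP for authentication") == "Enabled":
        findings.append("'Use HTTP for authentication' is Enabled (credentials in clear text)")
    permitted = {(r["destination"], r["service"]) for r in rules
                 if r["source"] == "user" and r["action"] == "permit"}
    if (dest, "svc-https") not in permitted:
        findings.append(f"pre-auth policy permits no svc-https from user to {dest}")
    return findings


if __name__ == "__main__":
    for name, prof, pol, alias in (("weak", WEAK_PROFILE, WEAK_POLICY, None),
                                   ("hardened", HARDENED_PROFILE, HARDENED_POLICY, "portal-srv")):
        print(name, audit(prof, pol, alias) or ["no findings"])
```

    Run against the weak sample it lists four findings; against the hardened sample it lists none. When the ACL refers to the portal by a netdestination alias rather than its IP, pass that alias as `portal_alias`, otherwise the https check cannot match the destination column.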



  • 9.  RE: IOS Devices not open Captive Portal Login Page

    Posted Oct 15, 2018 08:42 AM
    Hello Charlie, for testing I've created a new SSID (open SSID) with an internal Aruba Mobility Controller captive portal page, uploaded a trusted certificate and tested with Windows, iOS and Android devices. Windows and Android devices have no problems; iOS has the same problems: the captive portal website does not open automatically, manually it works.


  • 10.  RE: IOS Devices not open Captive Portal Login Page

    EMPLOYEE
    Posted Oct 15, 2018 12:34 PM

    What version of iOS? 



  • 11.  RE: IOS Devices not open Captive Portal Login Page

    Posted Oct 15, 2018 03:21 PM

    All versions of iOS.

    We've tested devices with 9.x, 10.x and 11.x, but with your help we could solve it, because the problem was only that the captive portal page used http and not https.

    In my last test captive.apple.com was successful before the page was opening, because one of my tests was a local captive.apple.com website.

    After connecting to the open SSID, iOS devices check some URLs, for example captive.apple.com: if the request is successful no login page will be loaded; if the request is not successful the login page will be loaded.

    Thank you very much for your help.

    It was a really big problem for us because most users of these networks are Apple users.

    I still have one more question.

    On some iOS devices (I see it with versions 10.x and 11.x), after a successful login on the captive portal page the page is redirected to https://syndication.twitter.com/i/jot .

    Greetings
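    The decision rule stated in this reply (probe answered as expected means no login page; anything else means open the login page) can be reproduced offline. What follows is an added example written for this thread, not code from the forum, from Apple or from HPE Aruba: a local HTTP server plays the probe target once in "direct" mode, returning the "Success" page the thread mentions, and once in "intercepted" mode, answering the way a portal gateway does with a redirect to a login page; the client side applies the rule and reports which case it saw. The `/probe` path, the `portal.example.net` login URL and the exact page body are constructed for the example and are not claimed to be the ones iOS uses.

```python
"""Simulate the captive-network probe decision described in the thread.

Added example, not code from the thread, Apple or HPE Aruba. A local server
stands in for the probe target and for a portal gateway; the client applies
the rule: expected "Success" answer -> no login page, anything else -> login.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Constructed probe page body; the thread only reports that the page says "Success".
SUCCESS_BODY = b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"
LOGIN_URL = "http://portal.example.net/login"  # constructed portal address


def make_handler(mode):
    """'direct': answer like the probe target; 'intercepted': answer like a
    captive-portal gateway that hijacks the request and redirects to login."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if mode == "direct":
                self.send_response(200)
                self.send_header("Content-Type", "text/html")
                self.send_header("Content-Length", str(len(SUCCESS_BODY)))
                self.end_headers()
                self.wfile.write(SUCCESS_BODY)
            else:
                self.send_response(302)
                self.send_header("Location", LOGIN_URL)
                self.send_header("Content-Length", "0")
                self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Handler


def start_server(mode):
    """Bind to an ephemeral port on localhost and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(mode))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class NoRedirect(HTTPRedirectHandler):
    """urllib follows 3xx by default; the probe must see the redirect itself."""
    def redirect_request(self, *args, **kwargs):
        return None


def probe(url, timeout=3):
    """Return ('open', None) when the answer is the unmodified Success page,
    ('captive', location) when the request was intercepted or answered
    unexpectedly; location is the Location header of a redirect, if any."""
    opener = build_opener(NoRedirect)
    req = Request(url, headers={"User-Agent": "probe-example"})  # constructed UA
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read()
            if resp.status == 200 and body == SUCCESS_BODY:
                return ("open", None)
            return ("captive", None)
    except HTTPError as err:
        # A 3xx lands here because redirects are not followed; its Location is
        # the login page the device should present to the user.
        return ("captive", err.headers.get("Location"))


def run_demo():
    """Probe a 'direct' and an 'intercepted' local server; return both verdicts."""
    results = {}
    for mode in ("direct", "intercepted"):
        srv = start_server(mode)
        try:
            results[mode] = probe(f"http://127.0.0.1:{srv.server_port}/probe")
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for mode, verdict in run_demo().items():
        print(f"{mode:12s} -> {verdict}")
```

    The point the intercepted case makes for defenders is that the verdict depends on the client being able to complete the probe and then reach the Location it is handed; if that page is on a scheme or host the pre-auth policy does not permit, the device sees the interception but cannot load the login page, which is the symptom this thread started with.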



  • 12.  RE: IOS Devices not open Captive Portal Login Page

    EMPLOYEE
    Posted Oct 15, 2018 05:30 PM

    @rout86 wrote:

    I still have one more question.

    On some iOS devices (I see it with versions 10.x and 11.x), after a successful login on the captive portal page the page is redirected to https://syndication.twitter.com/i/jot .


    Is the captive portal detection working now?

    I've seen similar behavior to what you described above, but with a different social platform. Is there currently a redirect URL specified either in the captive portal profile, or that the external captive portal may be trying to send? Does the connection to https://syndication.twitter.com/i/jot stay within the CNA browser, or does the iOS device open Safari (or the default web browser) to attempt to connect?



  • 13.  RE: IOS Devices not open Captive Portal Login Page

    Posted Oct 16, 2018 09:10 AM
    Yes, a redirection in the captive portal is configured. twitter.com opens in the Safari browser and not in the CNA browser. Greetings


  • 14.  RE: IOS Devices not open Captive Portal Login Page

    EMPLOYEE
    Posted Oct 16, 2018 11:00 AM

    @rout86 wrote:
    Yes, a redirection in the captive portal is configured. twitter.com opens in the Safari browser and not in the CNA browser. Greetings

    I've seen this behavior when the site guest users are redirected to uses tracking pixels embedded via JavaScript. Since the CNA browser is a limited-use browser, iOS will close the CNA and launch Safari in order to handle the unsupported language/script type.



  • 15.  RE: IOS Devices not open Captive Portal Login Page

    Posted Oct 16, 2018 03:33 PM

    I'm not sure if I understand you correctly.

    You think the code of my own coded website is the problem?

    The code is from our web design partner, so I don't know which code is being used. I want to ask him tomorrow.

    I have a test SSID with an Aruba controller captive portal page, so I can test the scenario with the controller page: if the Twitter page does not load then, my own captive portal causes the behavior.

    Greetings, nice evening



  • 16.  RE: IOS Devices not open Captive Portal Login Page

    EMPLOYEE
    Posted Oct 16, 2018 03:54 PM

    Just so that I understand the issue ... iOS clients are getting redirected to a Twitter URL after successful captive portal authentication?

    From the captive portal profiles shared earlier, there was no redirect URL listed, so is the external portal trying to redirect users to another site after authentication? If so, what is the redirect URL being used?



  • 17.  RE: IOS Devices not open Captive Portal Login Page

    Posted Jul 03, 2019 01:06 PM

    Can you please explain what exactly was the solution?

    Thanks.



  • 18.  RE: IOS Devices not open Captive Portal Login Page

    Posted Nov 07, 2019 10:17 AM

    Glad to hear you got yours fixed! We are having the same issue. When you say that the captive portal was only http, where exactly are you referring to in the controller?

    Regards,



  • 19.  RE: IOS Devices not open Captive Portal Login Page

    Posted Nov 08, 2019 10:32 AM
    Hello, in your AAA profile you can configure the portal URL.


  • 20.  RE: IOS Devices not open Captive Portal Login Page

    Posted Dec 19, 2018 03:42 PM

    Would you be able to go into more detail in reference to http vs. https causing problems with the Apple CNA? I have a very similar setup using ClearPass as the captive portal with Aruba 7210 controllers. We have publicly signed certificates on both our ClearPass appliance and our wireless controllers, but CNA does not work. Opening a web browser and attempting to browse anything works fine.

    Thank you.



  • 21.  RE: IOS Devices not open Captive Portal Login Page

    Posted Dec 20, 2018 02:25 AM
    Good morning, since I use https with a public certificate I don't have problems. The CNA browser works every time. You need HTTPS, "accepted" certificates and a FQDN which is resolvable.


  • 22.  RE: IOS Devices not open Captive Portal Login Page

    Posted Nov 20, 2019 12:53 AM

    Not able to auto-redirect the user to my captive portal

    We have developed a captive portal of our own with one of the ISP players in India. This captive portal has been developed for the first time by us. We have developed it from scratch.

    However, users are unable to be redirected to the captive portal after clicking on the SSID. The SSID is showing a message of "Unsecured Network".

    After reading a few of the threads we have implemented a few of the points at our end:

    1. Configured/allowed redirection to port 443 in our server.xml file
    2. Installed a valid SSL certificate on the web server
    3. Tried both whitelisting and blocking captive.apple.com on our firewall

    The only way the user is currently able to access the captive portal is as follows:

    1. User clicks on the SSID
    2. SSID shows a message "Unsecured Network" and no auto-redirection to the captive portal
    3. User opens the Safari browser and types google.com or apple.com or any other URL
    4. User is forced to the captive portal

    It would be a great help if we could get some support from the Apple team in order to resolve this issue, as we have been stuck for nearly 2-3 weeks on it.



  • 23.  RE: IOS Devices not open Captive Portal Login Page

    Posted Jan 19, 2020 09:07 PM
    I have the same issue; three Aruba TAC engineers have tried to help fix it without success.

    Would be great to gain more insight. If this is common but there is a fix, there should be a guide.
    Did you ever get yours working?? Thanks